A Generic Framework for Three-Factor
Authentication: Preserving Security and
Privacy in Distributed Systems
Xinyi Huang, Yang Xiang
Member, IEEE
, Ashley Chonka, Jianying Zhou, and
Robert H. Deng
Senior Member, IEEE
Abstract—As part of the security within distributed systems, various services and resources need protection from unauthorized use. Remote authentication is the most commonly used method to determine the identity of a remote client. This paper investigates a systematic approach for authenticating clients by three factors, namely password, smart-card and biometrics. A generic and secure framework is proposed to upgrade two-factor authentication to three-factor authentication. The conversion not only significantly improves the information assurance at low-cost but also protects client privacy in distributed systems. In addition, our framework retains several practice-friendly properties of the underlying two-factor authentication, which we believe is of independent interest.
Index Terms—Authentication, distributed systems, security, privacy, password, smart-card, biometrics.
!
1 I
NTRODUCTIONI
N a distributed system, various resources are dis-tributed in the form of network services provided and managed by servers. Remote authentication is the most commonly used method to determine the identity of a remote client. In general, there are three authentication factors:1) Something the client knows: password; 2) Something the client has: smart-card;
3) Something the client is: biometric characteristics (e.g., fingerprint, voiceprint and iris scan). Most early authentication mechanisms are solely based on password. While such protocols are rel-atively easy to implement, passwords (and human generated passwords in particular) have many vul-nerabilities. As an example, human generated and memorable passwords are usually short strings of characters and (sometimes) poorly selected. By ex-ploiting these vulnerabilities, simple dictionary at-tacks can crack passwords in a short time [1]. Due to these concerns, hardware authentication tokens are introduced to strengthen the security in user authenti-cation, and smart-card-based password authentication has become one of the most common authentication mechanisms.
∙ X. Huang and R. H. Deng are with the School of Information Systems, Singapore Management University, Singapore 178902.
E-mail: xyhuang@smu.edu.sg, robertdeng@smu.edu.sg.
∙ Y. Xiang and A. Chonka are with the School of Information Technology, Deakin University, Australia.
E-mail: yang@deakin.edu.au, ashley@deakin.edu.au.
∙ J. Zhou is with the Institute for Infocomm Research (I2R), Singapore 138632. E-mail: jyzhou@i2r.a-star.edu.sg.
Smart-card-based password authentication pro-vides two-factor authentication, namely a successful login requires the client to have a valid smart-card and a correct password. While it provides stronger security guarantees than password authentication, it could also fail if both authentication factors are com-promised (e.g., an attacker has successfully obtained the password and the data in the smart-card). In this case, a third authentication factor can alleviate the problem and further improve the system’s assurance. Another authentication mechanism is biometric au-thentication [2], [3], [4], where users are identified by their measurable human characteristics, such as fingerprint, voiceprint and iris scan. Biometric char-acteristics are believed to be a reliable authentication factor since they provide a potential source of high-entropy information and cannot be easily lost or forgotten. Despite these merits, biometric authentica-tion has some imperfect features. Unlike password, biometric characteristics cannot be easily changed or revoked. Some biometric characteristics (e.g., finger-print) can be easily obtained without the awareness of the owner1. This motivates the three-factor authen-tication, which incorporates the advantages of the authentication based on password, smart-card and biometrics.
1.1 Motivation
The motivation of this paper is to investigate a sys-tematic approach for the design of secure three-factor authentication with the protection of user privacy.
1. Section 3.2 presents three other subtle issues in biometric authentication (especially in distributed systems).
Three-factor authentication is introduced to incor-porate the advantages of the authentication based on password, smart-card and biometrics. A well de-signed three-factor authentication protocol can greatly improve the information assurance in distributed sys-tems. However, the previous research on three-factor authentication is confusing and far from satisfactory.
Security Issues. As we will show shortly (in Sec-tion 1.3), most existing three-factor authenticaSec-tion pro-tocols are flawed and cannot meet security require-ments in their applications. Even worse, some im-provements of those flawed protocols are not secure either. The research history of three-factor authentica-tion can be summarized in the following diagram.
NEW PROTOCOLS → BROKEN → IMPROVED PRO-TOCOLS →BROKENAGAIN→ ⋅ ⋅ ⋅.
Privacy Issues. Along with the improved security fea-tures, three-factor authentication also raises another subtle issue, namely how to protect the biometric data. Not only is this the privacy information of the owner, it is also closely related to the security in the authentication. As biometrics cannot be easily changed, the breached biometric information (either on the server-side or the client-side) will make the bio-metric authentication totally meaningless. However, this issue has received less attention than it deserves from protocol designers.
We believe it is worthwhile, both in theory and in practice, to investigate a generic framework for three-factor authentication, which can preserve the security and the privacy in distributed systems.
1.2 Contributions
The main contribution of this paper is a generic frame-work for three-factor authentication in distributed systems. The proposed framework has several merits as follows.
First, we demonstrate how to incorporate biomet-rics in the existing authentication based on smart-card and password. Our framework is generic rather than instantiated in the sense that it does not have any additional requirements on the underlying smart-card-based password authentication. Not only will this simplify the design and analysis of three-factor authentication protocols, but it will contribute a secure and generic upgrade from two-factor authentication to three-factor authentication possessing the practice-friendly properties of the underlying two-factor au-thentication system.
Second, authentication protocols in our framework can provide true three-factor authentication, namely a successful authentication requires password, smart-card and biometric characteristics. In addition, our framework can be easily adapted to allow the server to decide the authentication factors in user authenti-cation (instead of all three authentiauthenti-cation factors).
Last, in the proposed framework clients’ biometric characteristics are kept secret from servers. This not only protects user privacy but also prevents a single-point failure (e.g., a breached server) from undermin-ing the authentication level of other services. Further-more, the verification of all authentication factors is performed by the server. In particular, our framework does not rely on any trusted devices to verify the authentication factors, which also meets the imperfect feature of distributed systems where devices cannot be fully trusted.
1.3 Related Work
Several authentication protocols have been proposed to integrate biometric authentication with password authentication and/or smart-card authentication. Lee
et al. [5] designed an authentication system which does not need a password table to authenticate reg-istered users. Instead, smart-card and fingerprint are required in the authentication. However, due to the analysis given in [6], Lee et al.’s scheme is insecure under conspiring attack.
Lin and Lai [7] showed that Leeet al.’s scheme is vulnerable to masquerade attack. Namely, a legitimate user (i.e., a user who has registered on the system) is able to make a successful login on behalf of other users. An improved authentication protocol was given by Lin and Lai to fix that flaw. The new protocol, how-ever, has several other security vulnerabilities. First, Lin-Lai’s scheme only provides client authentication rather than mutual authentication, which makes it susceptible to the server spoofing attack [8]. Second, the password changing phase in Lin-Lai’s scheme is not secure as the smart-card cannot check the correct-ness of old passwords [9]. Third, Lin-Lai’s scheme is insecure under impersonation attacks due to the anal-ysis given by Yoon and Yoo [10], who also proposed a new scheme. However, the new scheme is broken and improved by Lee and Kwon [11].
In [12], Kimet al.proposed two ID-based password authentication schemes where users are authenticated by smart cards, passwords and fingerprints. However, Scott [13] showed that a passive eavesdropper (with-out access to any smart card, password or fingerprint) can successfully login to the server on behalf of any claiming identity after passively eavesdropping only one legitimate login.
Bhargav-Spantzelet al.proposed a privacy preserv-ing multi-factor authentication protocol with biomet-rics [14]. The authentication server in their protocol does not have the biometric information of regis-tered clients. However, the biometric authentication is implemented using zero knowledge proofs [15], which requires the server to maintain a database to store all users’ commitments and uses costly modular exponentiations in the finite group.
In [16], Uludag et al. presented various methods of binding a cryptographic key with the biometric
template of a user stored in the database. The cryp-tographic key cannot be revealed without a success-ful biometric authentication. However, the biometric database could put client privacy at risk. In order to protect client privacy, Fan and Lin [17] proposed a three-factor authentication scheme with privacy protection on biometrics. The essential approach of their scheme is as follows: (1) During the registra-tion, the client chooses a random string and encrypts it using his/her biometric template; (2) The result (called sketch) is stored in the smart-card; and (3) During the authentication, the client must convince the server that he/she can decrypt the sketch, which needs correct biometrics (close to the biometric tem-plate in the registration). As we shall show shortly, our framework employs a different approach. The client in our framework uses his/her biometrics to generate a random string. This leads to a generic three-factor authentication protocol from smart-card-based password authentication. Very recently, Li and Hwang [18] proposed another biometric-based remote client authentication scheme using smart-card and password. Our analysis, which will be given shortly, points out two limitations of Li-Hwang’s scheme in practical application. In addition, there are no satis-factory solutions for three-factor authentication with additional properties (e.g., key-agreement with for-ward security), which have been studied intensively in smart-card-based password authentication.
Organization of This Paper.
The remainder of this paper is organized as follows. Section 2 briefly reviews the preliminaries of our framework. After that, we describe the challenges of biometric authentication in distributed systems in Sec-tion 3. The generic framework for three-factor authen-tication is given in Section 4. Section 5 provides the analysis of the proposed framework, and its formal security proofs are given in the supplementary file. Section 6 concludes this paper.
2 P
RELIMINARIESThis section reviews the definitions of smart-card-based password authentication, three-factor authen-tication and fuzzy extractor.
2.1 Smart-Card-Based Password Authentication
Definition 1: A smart-card-based password authen-tication protocol (hereinafter referred to as SCPAP) consists of four phases.
2-Factor-Initialization: The server (denoted by 𝒮) generates two system parameters 𝑃 𝐾 and 𝑆𝐾. 𝑃 𝐾
is published in the system, and 𝑆𝐾 is kept secret by 𝒮. An execution of this algorithm is denoted by 2-Factor-Initialization(𝜅)→ (𝑃 𝐾, 𝑆𝐾). Here, 𝜅is sys-tem’s security parameter which determines the size of
𝑃 𝐾 and 𝑆𝐾, and the security level of cryptographic algorithms.
2-Factor-Reg: The client (denoted by 𝒞), with an initial password𝑃 𝑊, registers on the system by run-ning this interactive protocol with 𝒮. The output of this protocol is a smart-card𝑆𝐶. An execution of this protocol is denoted by
𝒞[𝑃 𝑊]⇐2=======−Factor−Reg⇒ 𝒮[𝑆𝐾]→𝑆𝐶.
The information in square brackets indicates the secret value(s) known by the corresponding party. (The same notation will be used in the remainder of this paper.) 2-Factor-Login-Auth: This is another interactive pro-tocol between the client and the server, which enables the client to login successfully using𝑃 𝑊 and𝑆𝐶. An execution of this protocol is denoted by
𝒞[𝑃 𝑊, 𝑆𝐶]⇐2============−Factor−Login−Auth⇒ 𝒮[𝑆𝐾]→ {1,0}.
The output of this protocol is “1” (if the authentication is successful) or “0” (otherwise).
2-Factor-Password-Changing: This protocol enables a client to change his/her password after a successful authentication (i.e.,2-Factor-Login-Authoutputs “1”). The data in the smart-card will be updated accord-ingly.
Security Requirements. The attacker on SCPAPcan be classified from two aspects: the behavior of the attacker and the information compromised by the attacker.
As an interactive protocol, SCPAP may face passive attackers and active attackers.
Passive Attacker: A passive attacker can obtain messages transmitted between the client and the server. However, it cannot interact with the client or the server.
Active Attacker: An active attacker has the full control of the communication channel. In addition to message eavesdropping, the attacker can arbitrarily inject, modify and delete messages in the communi-cation between the client and the server.
On the other hand, SCPAP is a two-factor authenti-cation protocol, namely a successful login requires a valid smart-card and a correct password. According to the compromised secret, an attacker can be further classified into the following two types.
Attacker with Smart-Card: This type of attacker has the smart-card, and can read and modify the data in the smart-card. Notice that there are techniques to restrict access to both reading and modifying data in the smart-card. Nevertheless, from the security point of view, authentication protocols will be more robust if they are secure against attackers with the ability to do that.
Attacker with Password: The attacker is assumed to have the password of the client but is not given the smart-card.
Definition 2 (SecureSCPAP): The basic security re-quirement ofSCPAPis that it should be secure against
a passive attacker with smart-card and a passive attacker with password. It is certainly more desirable
that SCPAPis secure against an active attacker with smart-card and an active attacker with password. 2.2 Three-Factor Authentication
Three-factor authentication is very similar to smart-card-based password authentication, with the only difference that it requires biometric characteristics as an additional authentication factor.
Definition 3 (Three-Factor Authentication): A three-factor authentication protocol involves a client 𝒞 and a server𝒮, and consists of five phases.
3-Factor-Initialization: 𝒮 generates two system pa-rameters𝑃 𝐾and𝑆𝐾.𝑃 𝐾 is published in the system, and 𝑆𝐾 is kept secret by 𝒮. An execution of this algorithm is denoted by 3-Factor-Initialization(𝜅) →
(𝑃 𝐾, 𝑆𝐾), where𝜅is system’s security parameter. 3-Factor-Reg: A client 𝒞, with an initial password
𝑃 𝑊 and biometric characteristics 𝐵𝑖𝑜𝐷𝑎𝑡𝑎, registers on the system by running this interactive protocol with the server 𝒮. The output of this protocol is a smart-card𝑆𝐶, which is given to𝒞. An execution of this protocol is denoted by
𝒞[𝑃 𝑊, 𝐵𝑖𝑜𝐷𝑎𝑡𝑎]⇐3=======−Factor−Reg⇒ 𝒮[𝑆𝐾]→𝑆𝐶. 3-Factor-Login-Auth: This is another interactive pro-tocol between the client 𝒞 and the server 𝒮, which enables the client to login successfully using𝑃 𝑊,𝑆𝐶
and𝐵𝑖𝑜𝐷𝑎𝑡𝑎. An execution of this protocol is denoted by
𝒞[𝑃 𝑊, 𝑆𝐶, 𝐵𝑖𝑜𝐷𝑎𝑡𝑎]⇐3============−Factor−Login−Auth⇒ 𝒮[𝑆𝐾]
→ {1,0}.
The output of this protocol is “1” (if the authentication is successful) or “0” (otherwise).
3-Factor-Password-Changing: This protocol enables a client to change his/her password after a successful authentication. The data in the smart-card will be updated accordingly.
3-Factor-Biometrics-Changing2: An analogue of password-changing is biometrics-changing, namely the client can change his/her biometrics used in the authentication, e.g., using a different finger or using iris instead of finger.
While biometrics-changing is not supported by previ-ous three-factor authentication protocols, we believe it provides the client with more flexibility in the authentication.
Cost Effectiveness. In general, three-factor authen-tication is less computationally efficient than smart-card-based password authentication, since the former
2. This is motivated by the reviewer’s comment.
requires additional computational resources for bio-metric authentication. To make three-factor authenti-cation practical, biometric-related operations must be performed fast and accurately. As indicated in [16], the performance of extracting and authenticating cer-tain types of biometrics (e.g., face and keystroke) is not satisfactory, but others (e.g., fingerprint and iris) can satisfy practical requirements. (Examples include fingerprint recognition in laptops and biometric visa.)
Security Requirements. A three-factor authentication protocol can also face passive attackers and active attackersas defined inSCPAP(Section. 2.1). A passive (an active) attacker can be further classified into the following three types.
Type I Attacker has the smart-card and the bio-metric characteristics of the client. It is not given the password of that client.
Type II Attackerhas the password and the biomet-ric characteristics. It is not allowed to obtain the data in the smart-card.
Type III Attackerhas the smart-card and the pass-word of the client. It is not given the biometric char-acteristics of that client. Notice that such an attacker is free to mount any attacks on the (unknown) bio-metrics, including biometrics faking and attacks on the metadata (related to the biometrics) stored in the smart-card.
Definition 4 (Secure Three-Factor Authentication):
For a three-factor authentication protocol, the basic
security requirement is that it should be secure against passive type I, type II and type III attackers. It is certainly more desirable that a three-factor authentication protocol is secure against active type I, type II and type III attackers.
2.3 Fuzzy Extractor
This section briefly reviews the fuzzy extractor intro-duced in [21].
Metric Space. A metric space is a set ℳ with a distance function dis : ℳ × ℳ → ℝ+ = [0,∞) which obeys various natural properties. One example of metric space is Hamming metric: ℳ = ℱ𝑛 is over some alphabet ℱ (e.g., ℱ = {0,1}) and dis(𝑤, 𝑤′) is the number of positions in which they differ.
Statistic Distance. The statistical distance between two probability distributions 𝐴 and 𝐵 is denoted by
SD(𝐴, 𝐵) = 1 2
∑
𝑣∣Pr(𝐴=𝑣)−Pr(𝐵 =𝑣)∣.
Entropy. The min-entropy H∞(𝐴)of a random vari-able𝐴is−log(max𝑎Pr[𝐴=𝑎]).
Fuzzy Extractor. A fuzzy extractor extracts a nearly random string 𝑅 from its biometric input 𝑤 in an error-tolerant way. If the input changes but remains close, the extracted 𝑅 remains the same. To assist in recovering 𝑅 from a biometric input 𝑤′, a fuzzy
extractor outputs an auxiliary string 𝑃. However, 𝑅 remains uniformly random even given𝑃. The fuzzy extractor is formally defined as below.
Definition 5 (Fuzzy Extractor): An (ℳ, 𝑚, ℓ, 𝑡, 𝜖)
fuzzy extractor is given by two procedures(Gen,Rep). 1. −−−−−−−→𝐵𝑖𝑜𝐷𝑎𝑡𝑎:𝑤 Gen →
{
𝑅: Random String;
𝑃 : Auxiliary String. Gen is a probabilistic generation procedure, which on (biometric) input 𝑤 ∈ ℳ outputs an “extracted” string 𝑅 ∈ {0,1}ℓ and an auxiliary string 𝑃. For any distribution𝑊 onℳof min-entropy𝑚, if< 𝑅, 𝑃 >←
Gen(𝑊), then we haveSD(< 𝑅, 𝑃 >, < 𝑈ℓ, 𝑃 >)≤𝜖. Here, 𝑈ℓ denotes the uniform distribution on ℓ-bit binary strings.
2. −−−−−−−−→𝐵𝑖𝑜𝐷𝑎𝑡𝑎:𝑤′
𝑃 Rep →𝑅 if dis(𝑤, 𝑤 ′)≤𝑡. Repis a deterministic reproduction procedure allow-ing to recover 𝑅 from the corresponding auxiliary string 𝑃 and any vector𝑤′ close to𝑤: for all𝑤, 𝑤′ ∈ ℳ satisfying dis(𝑤, 𝑤′) ≤ 𝑡, if < 𝑅, 𝑃 >← Gen(𝑤), then we have Rep(𝑤′, 𝑃) =𝑅.
3 C
HALLENGES INB
IOMETRICA
UTHENTI-CATION
This section is devoted to a brief description of three subtle issues in biometric authentication, namely pri-vacy issues, error-tolerance and non-trusted devices. 3.1 Privacy Issues
A trivial way to include biometric authentication in smart-card-based password authentication is to scan the biometric characteristics and store the extracted biometric data as a template in the server. During the authentication, a comparison is made between the stored data and the input biometric data. If there is a sufficient commonality, a biometric authentication is said to be successful. This method, however, will raise several security risks, especially in a multi-server environment where user privacy is a concern (e.g., in a distributed system).Firstly, servers are not 100% secure. Servers with weak security protections can be broken in by attackers, who will obtain the biometric data on those servers.Secondly, servers are not 100% trusted. Server-A (equivalently, its curious administrator) could try to login toServer-Bon behalf of their common clients, or distribute users’ biometric information in the system. In either case, user privacy will be compromised, and a single-point failure on a server will downgrade the whole system’s security level from three-factor authentication to two-factor authentication (since clients are likely to register the same biometric characteristics on all servers in the system).
Notice that there is a potential solution to preserve user privacy even the server has a copy of clients’ bio-metric data. The method is called “cancellable biomet-rics” [22]: Biometric data can be intentionally distorted in a repeatable manner. This allows the client to gen-erate different biometrics for different purposes and register different biometric data on different servers. Furthermore, the client can cancel his/her biometric data on the server and enroll a new one whenever nec-essary (e.g., if the biometric data stored on the server is compromised). However, cancellable biometrics has certain limitations [23]. To date, there are generally two methods to implement cancellable biometrics: (1) Biometric Salting and (2) Non-invertible Transforms. The former method needs an auxiliary data which must be kept secret, and it remains as a challenging work to design a non-invertible transform function satisfying both performance and non-invertibility re-quirements. Due to these concerns, our framework does not use cancellable biometrics.
3.2 Error-Tolerance and Non-trusted Devices One challenge in biometric authentication is that bio-metric characteristics are prone to various noise dur-ing data collectdur-ing, and this natural feature makes it impossible to reproduce precisely each time biometric characteristics are measured. A practical biometric au-thentication protocol cannot simply compare the hash or the encryption of biometric templates (which re-quires an exact match). Instead, biometric authentica-tion must tolerate failures within a reasonable bound. Another issue in biometric authentication is that the verification of biometrics should be performed by the server instead of other devices, since such devices are usually remotely located from the server and cannot be fully trusted. The above two subtle issues seem to be neglected in a recent three-factor authentication protocol proposed by Li and Hwang [18]. The detailed analysis of their protocol is given in the Supplemen-tary File (Section 1).
4 A G
ENERICF
RAMEWORK FORT
HREE-F
ACTORA
UTHENTICATIONThis section describes a generic approach for three-factor authentication from a smart-card-based pass-word authentication protocol (SCPAP, Definition 1) and a fuzzy extractor (Definition 5). The design phi-losophy of our approach can be found in the Sup-plementary File (Section 2), where a graphical repre-sentation (Fig. 1) is given to illustrate the three-factor authentication process.
4.1 3-Factor-Initialization
We first describe the initialization phase in the pro-posed framework. This phase generates a public pa-rameter and a secret papa-rameter for three-factor
au-thentication. Let 2-Factor-Initialization be the initial-ization algorithm in the underlying SCPAP. Given a security parameter 𝜅, the authentication server 𝒮 in our framework runs2-Factor-Initializationtwice: 1. 2-Factor-Initialization(𝜅)→(𝑃 𝐾1, 𝑆𝐾1). 2. 2-Factor-Initialization(𝜅)→(𝑃 𝐾2, 𝑆𝐾2).
Notice that the two pairs (𝑃 𝐾1, 𝑆𝐾1) and
(𝑃 𝐾2, 𝑆𝐾2) are generated in an independent manner.
The public parameter in three-factor authentication is the pair(𝑃 𝐾1, 𝑃 𝐾2), and the corresponding secret parameter is the pair(𝑆𝐾1, 𝑆𝐾2).
4.2 3-Factor-Reg
The registration in our framework is made up of the following steps. In the following, let ℎ be a crypto-graphic hash function chosen by the client 𝒞.
1. An initial password𝑃 𝑊1 is chosen by the client𝒞. 2.Gen(𝐵𝑖𝑜𝐷𝑎𝑡𝑎)→(𝑅, 𝑃).
A pair(𝑅, 𝑃)is generated using𝒞’s biometric tem-plate 𝐵𝑖𝑜𝐷𝑎𝑡𝑎 and the algorithm Gen in the fuzzy extractor. We assume there is a device extracting the biometric template and carrying out all calculations in the fuzzy extractor. Notice that this step does not involve any interaction with the authentication server. 3. Let𝑃 𝑊2=ℎ(𝑅).
The second “password”𝑃 𝑊2is calculated from the random string𝑅.𝑅will be deleted immediately once the calculation of 𝑃 𝑊2 is complete.
4.𝒞[𝑃 𝑊1]⇐2−=======Factor−Reg⇒ 𝒮[𝑆𝐾1]→Data1.
𝒞(using𝑃 𝑊1) and𝒮(using𝑆𝐾1) first execute the 2-Factor-Regprotocol ofSCPAP. LetData1be the data generated by𝒮 at this step.
5.𝒞[𝑃 𝑊2]⇐2=======−Factor−Reg⇒ 𝒮[𝑆𝐾2]→Data2.
𝒞and𝒮have another run of2-Factor-Regprotocol, where 𝒞 registers 𝑃 𝑊2 and 𝒮 uses 𝑆𝐾2 to generate the corresponding data Data2. 𝑃 𝑊2 will be deleted immediately once the registration is complete. 6.𝒮 generates a smart-card 𝑆𝐶which containsData1 and Data2. The client𝒞 is given𝑆𝐶.
7.𝒞updates the data in the smart-card𝑆𝐶by adding
Data3={the auxiliary string 𝑃, the description of the hash functionℎ, the reproduction algorithmRep}. This completes the description of the 3-Factor-Reg protocol in our framework. As in the existing au-thentication protocols, we assume the registration phase is performed in a secure and reliable envi-ronment, and particularly the device at Step. 2 is trusted for its purpose. After a successful registration, the client 𝒞 will have a smart-card 𝑆𝐶 (contains {Data1,Data2,Data3}). The initial password is 𝑃 𝑊1. Notice that neither the server nor the smart-card has a copy of client’s biometric characteristics.
4.3 3-Factor-Login-Auth
The client 𝒞 first inserts the smart-card 𝑆𝐶
into a card reader, which will extract the data {Data1,Data2,Data3}. (Recall thatData3= (𝑃, ℎ,Rep).) After that, 𝒞 inputs the password 𝑃 𝑊1 and his/her biometric data3. Let 𝐵𝑖𝑜𝐷𝑎𝑡𝑎′ be the biometric template extracted at this phase. The login is made up of the following three steps.
1. Calculate𝑅=Rep(𝐵𝑖𝑜𝐷𝑎𝑡𝑎′, 𝑃)and 𝑃 𝑊2=ℎ(𝑅). A random string𝑅is calculated from the biometric template𝐵𝑖𝑜𝐷𝑎𝑡𝑎′ and the auxiliary string𝑃 (which is stored in the smart-card) by running the algorithm Rep. The random string 𝑅 will be the same as the one generated at the registration phase if 𝐵𝑖𝑜𝐷𝑎𝑡𝑎′ is close to 𝐵𝑖𝑜𝐷𝑎𝑡𝑎. More precisely, one can obtain an identical 𝑅 if dis(𝐵𝑖𝑜𝐷𝑎𝑡𝑎, 𝐵𝑖𝑜𝐷𝑎𝑡𝑎′) < 𝑡 in an
(ℳ, 𝑚, ℓ, 𝑡, 𝜖)fuzzy extractor (Definition 5). 2.𝒞[𝑃 𝑊1, 𝑆𝐶(Data1)]⇐2============−Factor−Login−Auth⇒ 𝒮[𝑆𝐾1].
𝒞 (using 𝑃 𝑊1 and Data1) and 𝒮 (using 𝑆𝐾1) first execute the2-Factor-Login-Authprotocol of SCPAP. 3.𝒞[𝑃 𝑊2, 𝑆𝐶(Data2)]⇐2============−Factor−Login−Auth⇒ 𝒮[𝑆𝐾2].
𝒞 and 𝒮 have another run of 2-Factor-Login-Auth, where𝒞 uses𝑃 𝑊2 andData2, and 𝒮 uses𝑆𝐾2.
This completes the description of the 3-Factor-Login-Auth protocol in our framework. The protocol outputs “1” if and only if both executions of 2-Factor-Login-Authprotocol output “1”. Otherwise, the protocol outputs “0”.
Remark. In order to make the protocol clear, we separate the authentication by two steps (Step. 2 and Step. 3). This also shows the flexibility of our protocol: According to the criticality of the requested service, the service provider (i.e., the server𝒮 in our protocol) can determine the factors used in the authentication. Namely, the service provider can authenticate the client based on “smart-card and password” (Step. 2), “smart-card and biometrics” (Step. 1 and Step. 3), or ”smart-card, password and biometrics” (Step. 1-3). In the case of all three factors are required, client and server can carry out the authentication more efficiently. Let {ℳ1,ℛ1,ℳ2,ℛ2,⋅ ⋅ ⋅,ℳ𝑛,ℛ𝑛} be a transcript of the authentication at Step. 2, and let {ℳ′
1,ℛ′1,ℳ′2,ℛ2′,⋅ ⋅ ⋅,ℳ′𝑛,ℛ′𝑛} be that at Step. 3. 4.4 3-Factor-Password-Changing
After a successful login (i.e.,3-Factor-Login-Auth out-puts “1”), the client and the server can execute 2-Factor-Password-Changing of SCPAP to change the password 𝑃 𝑊1 to 𝑃 𝑊1′ and update the data in the smart-card accordingly.
3. The biometric extractor is trusted to extract biometrics properly and never divulges the biometric information. This is a weaker assumption than using a fully trusted device to verify biometrics.
4.5 3-Factor-Biometrics-Changing
Similarly, one can change the biometrics used in the authentication. To do that, the client can generate a new “password” 𝑃 𝑊′
2 (determined by the new bio-metrics) by running Step. 2-3 in the registration phase. After that, the client and the server can execute 2-Factor-Password-ChangingofSCPAPto change𝑃 𝑊2 to 𝑃 𝑊′
2 and update the data in the smart-card ac-cordingly. As in the registration,𝑃 𝑊′
2 will be deleted immediately once this phase is complete.
5 S
CHEMEA
NALYSISThis section is devoted to the analysis of the generic framework.
Security Analysis. In the supplementary file (Sec-tion 3.1-3.3), we show that the generic construc(Sec-tion satisfies all security requirements of 3-factor authenti-cation, if the underlyingSCPAPsatisfies Definition 2 and the fuzzy extractor satisfies Definition 5. Other se-curity properties of the proposed framework are also investigated in the supplementary file (Section 3.4).
Comparison with Previous Protocols. The purpose of this paper is to investigate a systematic approach for the design of secure three-factor authentication. Thus, like almost all generic constructions, our framework does not have advantages from the computational point of view. Nevertheless, it is still affordable for smart-card applications, due to the efficient designs ofSCPAPand fuzzy extractor: There are a number of efficientSCPAPs in the literature, and fuzzy extractors can be constructed from error-correcting code and standard pairwise-independent hashing [21], both of which require only lightweight operations. In addi-tion, the proposed framework enjoys several desirable properties ofSCPAP(as shown in the supplementary file). This saves the time and effort on the design of three-factor authentication with those properties, and more importantly avoids the confusing “broken and improved” process in the existing research on three-factor authentication.
6 C
ONCLUSIONPreserving security and privacy is a challenging is-sue in distributed systems. This paper makes a step forward in solving this issue by proposing a generic framework for three-factor authentication to protect services and resources from unauthorized use. The authentication is based on password, smart-card and biometrics. Our framework not only demonstrates how to obtain secure three-factor authentication from two-factor authentication, but also addresses sev-eral prominent issues of biometric authentication in distributed systems (e.g., client privacy and error-tolerance). The analysis shows that the framework satisfies all security requirements on three-factor au-thentication and has several other practice-friendly
properties (e.g., key-agreement, forward security and mutual authentication). The future work is to fully identify the practical threats on three-factor authen-tication and develop concrete three-factor authentica-tion protocols with better performances.
R
EFERENCES[1] D.V. Klein, “Foiling the Cracker: A Survey of, and Improve-ments to, Password Security,” Proc. Second USENIX Work-shop Security, 1990.
[2] A.K. Jain, R. Bolle, and S. Pankanti, Eds., “Biometrics: Personal Identification in Networked Society,” Norwell, MA: Kluwer, 1999.
[3] D. Maltoni, D. Maio, A. K. Jain, and S. Prabhakar, “Handbook of Fingerprint Recognition,” New York: Springer-Verlag, 2003. [4] Ed. Dawson, J. Lopez, J. A. Montenegro, and E. Okamoto, “BAAI: Biometric Authentication and Authorization Infras-tructure,” Proc. IEEE Intern. Conference on Information Tech-nology: Research and Education (ITRE’03), pp. 274-278, 2004. [5] J.K. Lee, S.R. Ryu, and K.Y. Yoo, “Fingerprint-Based Re-mote User Authentication Scheme Using Smart Cards,” Elec-tron. Lett., vol. 38, no. 12, pp. 554-555, Jun. 2002.
[6] C.C. Chang and I.C. Lin, “Remarks on Fingerprint-Based Remote User Authentication Scheme Using Smart Cards,” ACM SIGOPS Operating Syst. Rev., vol. 38, no. 4, pp. 91-96, Oct. 2004.
[7] C.H. Lin and Y.Y. Lai, “A Flexible Biometrics Remote User Au-thentication Scheme,” Comput. Standards Interfaces, vol. 27, no. 1, pp. 19-23, Nov. 2004.
[8] M.K. Khan and J. Zhang, “Improving the Security of ‘A Flex-ible Biometrics Remote User Authentication Scheme’,” Com-put. Standards Interfaces, vol. 29, no. 1, pp. 82-85, Jan. 2007. [9] C.J. Mitchell and Q. Tang, “Security of the Lin-Lai Smart
Card based User Authentication Scheme,” Technical Re-port, RHULMA20051, available at http://www.ma.rhul.ac. uk/static/techrep/2005/RHUL-MA-2005-1.pdf, Jan. 2005. [10] E.J. Yoon and K.Y. Yoo, “A New Efficient Fingerprint-Based
Remote User Authentication Scheme for Multimedia Sys-tems,” Proc. Ninth Int’l Conf. Knowledge-Based Intelligent Information and Engineering Systems (KES), 2005.
[11] Y. Lee and T. Kwon, “An improved Fingerprint-Based Remote User Authentication Scheme Using Smart Cards,” Proc. Int’l Conf. Computational Science and Its Applications (ICCSA), 2006.
[12] H.S. Kim, J.K. Lee, and K.Y. Yoo, “ID-based Password Au-thentication Scheme Using Smart Cards and Fingerprints,” ACM SIGOPS Operating Syst. Rev., vol. 37, no. 4, pp. 32-41, Oct. 2003.
[13] M. Scott, “Cryptanalysis of An ID-based Password Authen-tication Scheme using Smart Cards and Fingerprints,” ACM SIGOPS Operating Syst. Rev., vol. 38, no. 2, pp. 73-75, Apr. 2004.
[14] A. Bhargav-Spantzel, A.C. Squicciarini, E. Bertino, S. Modi, M. Young, and S.J. Elliott, “Privacy Preserving Multi-Factor Authentication with Biometrics,” J. Comput. Security, vol. 15, no. 5, pp. 529-560, 2007.
[15] S. Goldwasser, S. Micali, and C. Rackoff, “The Knowledge Complexity of Interactive Proof-Systems,” SIAM J. Comput., vol. 18, no. 1, pp. 186-208, Feb. 1989.
[16] U. Uludag, S. Pankanti, S. Prabhakar, and A. K. Jain, “Biomet-ric Cryptosystems: Issues and Challenges,” Proc. IEEE, Special Issue on Multimedia Security for Digital Rights Management, vol. 92, no. 6, pp. 948-960, Jun. 2004.
[17] C-I. Fan and Y-H. Lin, “Provably Secure Remote Truly Three-Factor Authentication Scheme With Privacy Protection on Biometrics,” IEEE Trans.Inf.Forensics Security, vol. 4, no. 4, pp. 933-945, Dec. 2009.
[18] C.T. Li, M-S. Hwang, “An Efficient Biometrics-based Remote User Authentication Scheme using Smart Cards,” J. Network and Computer Applications, vol. 33, no. 1, pp. 1-5, 2010. [19] P.C. Kocher, J. Jaffe, and B. Jun, “Differential Power Analysis,”
[20] T.S. Messerges, E.A. Dabbish, and R.H. Sloan, “Examining Smart-Card Security Under the Threat of Power Analysis Attacks,” IEEE Trans. Computers., vol. 51, no. 5, pp. 541-552, May. 2002.
[21] Y. Dodis, L. Reyzin and A. Smith, “Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data,” Proc. Eurocrypt 2004, pp. 523-540, 2004.
[22] N.K. Ratha, J.H. Connell, and R.M. Bolle, ”Enhancing Security and Privacy in Biometrics-based Authentication Systems,” IBM systems Journal, vol. 40, no. 3, pp. 614-634, 2001. [23] M-H. Lim and A.B.J. Teoh, “Cancelable Biometrics”,
Scholar-pedia, 5(1): 9201, 2010.
[24] H. Tian, X. Chen, and Y. Ding, “Analysis of Two Types Deniable Authentication Protocols,” I. J. Network Security, vol. 9, no. 3, pp. 242-246, Jul. 2009.
Xinyi Huangreceived his PhD in Computer Science (Information Security) in 2009 from the School of Computer Science and Soft-ware Engineering, University of Wollongong, Australia. He is currently a Post-Doctoral Fel-low in the School of Information Systems, Singapore Management University. His re-search interests focus on the cryptography and its applications in information systems. He has published more than 40 referred re-search papers at international conferences and journals. His research results have more than 350 citations.
Yang Xiang received his PhD in computer science from Deakin University, Melbourne, Australia, in April 2007. He is currently with School of Information Technology, Deakin University. His research interests include net-work and system security, distributed sys-tems, and wireless systems. In particular, he is currently leading in a research group developing active defense systems against large-scale network attacks and new Inter-net security countermeasures. Dr. Xiang has published more than 100 research papers in international journals and conferences. He has served as Program/General Chair for many international conferences such as ICA3PP 11, IEEE HPCC 10/09, IEEE ICPADS 08, NSS 10/09/08/07. He is on the editorial board of Journal of Network and Computer Applications. He is a member of the IEEE.
Ashley Chonka completed his PhD at Deakin University on May 5th, 2010. He also hold a bachelor of computer science from 2001 and a Masters of Information Techol-ogy (Professional) from 2005. He has suc-cessfully published over 20 peer-reviewed papers and is currently a Lecturer at Deakin University. Current Research Interests are in the area of Network security, Multi-Core, CyberWarfare, Chaos Theory and Honeypot systems.
Jianying Zhouis a senior scientist at Insti-tute for Infocomm Research (I2R), and heads the Network Security Group. He received PhD in Information Security from University of London in 1997. His research interests are in computer and network security, cryp-tographic protocol, mobile and wireless com-munications security. He has published about 150 referred papers at international confer-ences and journals. He is actively involved in the academic community, having served in many international conference committees as general chair, program chair and PC member, having been in the editorial board and as a regular reviewer for many international journals. He is a co-founder and steering committee member of International Conference on Applied Cryptography and Network Security (ACNS).
Robert H. Dengreceived his Bachelor from National University of Defense Technology, China, his MSc and PhD from the Illinois Institute of Technology, USA. He has been with the Singapore Management University since 2004, and is currently Professor, Asso-ciate Dean for Faculty & Research, School of Information Systems. Prior to this, he was Principal Scientist and Manager of Infocomm Security Department, Institute for Infocomm Research, Singapore.
He has 26 patents and more than 200 technical publications in international conferences and journals in the areas of computer networks, network security and information security. He has served as general chair, program committee chair and program committee member of numerous international conferences. He is an Associate Editor of the IEEE Transactions on Information Forensics and Se-curity, Associate Editor of Security and Communication Networks Journal (John Wiley), and member of Editorial Board of Journal of Computer Science and Technology (the Chinese Academy of Sciences).
He received the University Outstanding Researcher Award from the National University of Singapore in 1999 and the Lee Kuan Yew Fellow for Research Excellence from the Singapore Management University in 2006. He was named Community Service Star and Showcased Senior Information Security Professional by (ISC)2
un-der its Asia-Pacific Information Security Leaun-dership Achievements program in 2010.
